In this specification the concept of a short-range wireless data transmission connection refers primarily to connections in which two or more devices or entities that are located relatively close to each other can communicate with each other wirelessly. The communication can use, for example, radio communication, infrared communication, inductive communication, or the like. For example, the Bluetooth™ technology, in which low-power radio transmitters and radio receivers are used, has been developed for the purpose of short-range radio communication. Such devices can communicate with each other and thereby form an ad-hoc network. For example, by applying short-range communication technology, peripheral devices can be wirelessly connected to a computer. Furthermore, for example, a wireless communication device can be coupled to a portable computer, so that the computer can have a wireless connection to another communication network, such as the Internet. Thus, a situation may occur in which the user has to enter his/her user identification and password when he/she sets up a connection to a data network by means of the portable computer. Without encryption between the portable computer and a wireless communication device connected thereto with a short-range wireless connection, there can be a risk of eavesdropping on the transmission of the user identification and password.
Other possible implementation areas for short-range data transmission connections that can be mentioned in this context include wireless local area network (WLAN) techniques such as IEEE 802.11 (e.g., 802.11a, 802.11b, 802.11g, 802.11n, etc.), WiMAX techniques such as IEEE 802.16, ultra wideband (UWB) techniques such as IEEE 802.15, wireless universal serial bus (WUSB) techniques, wireless pay terminal techniques and wirelessly operating lock techniques. By means of techniques such as WLAN, WiMAX, UWB and WUSB, for example, small office facilities can implement a LAN including several computers without having to install cabling. In a wireless pay terminal system, for example, a user can pay bills by means of a wireless communication device that includes short-range communication means. Thus, a short-range data connection can be set up between the wireless communication device and the pay terminal for the purpose of paying bills. Correspondingly, in a wirelessly operating lock the user has a key that communicates wirelessly with the lock to ensure that the key in question is intended for controlling the function of this particular lock. Such a key may be implemented as a separate key, or it may be implemented in connection with another device, such as a wireless communication device.
In such communication systems it can be difficult for the different parties in the communication to be sure that the devices in question are really authorized to take part in the communication process. This can be important especially in situations where confidential information is transferred between different devices. In the aforementioned pay terminal embodiment, for example, the pay terminal has to ensure that the device used in the payment transaction really is the device used by the account holder in question or a person authorized by the account holder. Also in the lock embodiment, for example, the lock has to ensure the authenticity of the key before the lock is opened. In such embodiments, for the purpose of verifying the parties, the communication between the devices has to be protected as well as possible from outside intruders, such as eavesdroppers and intervening parties. To take these safety aspects into account, a number of different encryption mechanisms have been developed, such as for Bluetooth™ systems. The techniques that are used include, for example, a key pair (PKI, Public Key Infrastructure) consisting of a public key and a private key. In such an arrangement, the user has a public key and a certificate from the PKI that he/she can send unencrypted to a counterparty, and a private key that does not have to be transferred to the communication system at any stage, but is instead kept secret. Thus, it can be possible to transmit encrypted information to the user by encrypting the information with the public key. The user can decrypt the information with his/her private key.
One drawback of an asymmetric encryption system of the above kind is that it can be relatively slow, so that encryption of large amounts of information considerably slows down data transmission. Another drawback of such an asymmetric encryption system is that if there is no certificate for the public key, the counterparty cannot trust the public key it receives from the user, because an unauthorized party may have replaced the public key with his own public key. In ad hoc scenarios, the presence of a certificate authority for authenticating the exchange of public keys generally cannot be assumed, so other means are required for authenticating the exchange of public keys.
Communication systems also apply symmetric encryption techniques in which both parties of the communication share the same private key (shared, secret key). A problem in this arrangement can be, for example, how this private key can be transmitted to another device so that an outsider cannot find out the private key. In some cases the user himself/herself can enter this private key into the different devices. In a device according to the Bluetooth™ system this private key can be utilized to calculate a link key used in the radio communication, and the actual information to be transmitted is encrypted by means of this link key. The maximum length determined for the link key is 128 bits, and the length of the private key should be at least 32 characters. It can be laborious to enter such a string containing 32 characters, and there can be a high probability of errors, especially when the string has to be entered successively at least twice without errors before the connection can be set up.
One encryption technique designed to overcome the drawbacks of the aforementioned asymmetric and symmetric encryption systems is disclosed in U.S. Pat. No. 5,241,599. In this regard, the '599 patent discloses a technique for encrypted key exchange (EKE) in which the encryption key used in the communication is first encrypted with a short encryption key, after which the encryption key can be transmitted in the encrypted format from one device to another via an unencrypted communication channel. In short-range systems this technique can be applied in such a manner that the user enters the short encryption key into both devices, after which each device transmits its own encryption key to the other device, encrypted with the short encryption key. However, such systems may experience a drawback in that the encryption efficiency depends, for example, upon how often the user changes this short encryption key. Furthermore, such a short encryption key selected by the user can be guessed relatively easily, and therefore when the technique is applied, it is possible that outsiders find out the short encryption key.
There is also a known technique, the so-called Diffie-Hellman technique, which is based on exponentiation modulo a large prime number. In this regard, the difficulty in breaking encryption implemented with the Diffie-Hellman technique is today regarded as being directly proportional to the difficulty of calculating discrete logarithms modulo a large prime number. The Diffie-Hellman technique is a public key based algorithm generally used especially in key exchange. The technique is often considered safe when keys of sufficient length and an appropriate Diffie-Hellman generator are used.
In accordance with the Diffie-Hellman technique, a first party determines a first key number on the basis of a first secret number and the first key number is transmitted to a second party. Correspondingly, the second party determines a second key number on the basis of a second secret number and the second key number is transmitted to the first party. Thereafter the first party generates a third key number on the basis of the first secret number and the second key number it has received, and the second party generates a fourth key number on the basis of the second secret number and the first key number it has received. The third and the fourth key numbers are identical, and they are not transmitted between the parties involved. The third and the fourth key number can thereafter be used for encryption and decryption of information to be transmitted between the parties.
In the Diffie-Hellman technique, however, as in other asymmetric techniques that exchange public keys without external means (e.g., a certificate) for authenticating the public keys, a third party may be capable of changing the first key number or the second key number. This can take place, for example, in such a manner that the third party places itself between the first and the second party (MIM, Man in the Middle), wherein the first party mistakes the third party for the second party, and, in a corresponding manner, the second party mistakes the third party for the first party. Thus, in practice, data can be transmitted between the first and the second party via the third party, and the third party can detect both the messages transmitted by the first party and the messages transmitted by the second party, and can modify them. For more information on the Diffie-Hellman technique, see U.S. Pat. No. 4,200,770, the content of which is incorporated by reference in its entirety.
An improvement has been suggested for the Diffie-Hellman technique, by means of which different parties in a short-range wireless communication technique can be verified. The technique is disclosed in the publication F. Stajano & R. Anderson, The Resurrecting Duckling: Security Issues for Ad-Hoc Wireless Networks, 1999 AT&T SOFTWARE SYMPOSIUM. The technique disclosed in this publication is based on both parties checking that the third and the fourth encryption numbers obtained as a result of the actions described above are identical. This can be conducted, for example, in such a manner that the calculated encryption numbers are displayed in the devices of both parties and the users of the devices compare these numbers with each other. To attain a sufficiently strong encryption (an encryption key of at least 128 bits), the encryption numbers typically have to be strings of at least 32 characters. However, it can be difficult to compare such lengthy strings, and the error probability can be undesirably high.
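The key-number exchange and the manual comparison described above can be followed in a short sketch. It is an added example, not part of the specification: the toy prime, the generator, the function names and the use of a truncated SHA-256 digest as the displayed 32-character string are all assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, constructed for this example: 2**127 - 1 is prime but far too
# small for real use; real deployments use standardized, much larger groups.
P = 2**127 - 1
G = 3

def keypair():
    """Return (secret number, key number) for one party."""
    secret = secrets.randbelow(P - 3) + 2          # uniform in [2, P-2]
    return secret, pow(G, secret, P)

def derive(own_secret, received_key_number):
    """Third/fourth key number: received key number raised to own secret."""
    return pow(received_key_number, own_secret, P)

def check_string(key_number):
    """128-bit value as 32 hex characters for the users to compare.
    Assumption: a truncated SHA-256 digest is shown, not the raw key."""
    return hashlib.sha256(key_number.to_bytes(16, "big")).digest()[:16].hex()

def run_exchange(intervening_party=False):
    """Return the check strings displayed by the first and second device."""
    a_secret, a_key = keypair()
    b_secret, b_key = keypair()
    received_by_a, received_by_b = b_key, a_key
    if intervening_party:
        # A third party on the channel replaces both key numbers with its own.
        _, m_key = keypair()
        received_by_a = received_by_b = m_key
    third = derive(a_secret, received_by_a)        # computed by first party
    fourth = derive(b_secret, received_by_b)       # computed by second party
    return check_string(third), check_string(fourth)

def users_accept(strings):
    """The manual check: accept the link only if both displays match."""
    first, second = strings
    return secrets.compare_digest(first, second)

if __name__ == "__main__":
    print("direct link accepted:     ", users_accept(run_exchange()))
    print("substituted keys accepted:", users_accept(run_exchange(True)))
```

The 32 hexadecimal characters returned by `check_string` are what each user would have to read and compare, which makes the usability cost of a full 128-bit comparison concrete.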